gluon-ebtables-limit-arp: a package for ARP rate-limiting

This package adds filters to limit the amount of ARP Requests
devices are allowed to send into the mesh from a particular node to
1 per second on average.

A burst of up to 50 ARP Requests is allowed until the rate-limiting
takes effect (see --limit-burst in the ebtables manpage).

Furthermore, ARP Requests with a target IP already present in the
batman-adv DAT Cache are excluded from the rate-limiting,
both regarding counting and filtering, as batman-adv will respond
locally with no burden for the mesh. Therefore, this limiter
should not affect popular target IPs, like gateways.

However it should mitigate the problem of curious people or
smart devices scanning the whole IP range. Which could create
a significant amount of overhead for all participants so far.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

package/gluon-ebtables-limit-arp/Makefile

@@ -0,0 +1,54 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-limit-arp
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include ../gluon.mk
+
+define Package/gluon-ebtables-limit-arp
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Ebtables limiter for ARP packets
+  DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-limit-arp/description
+	Gluon community wifi mesh firmware framework: Ebtables rules to
+	rate-limit ARP packets.
+
+	These filters limit the amount of ARP Requests devices are allowed
+	to send into the mesh from a particular node to 1 per second on
+	average.
+
+	A burst of up to 50 ARP Requests is allowed until the rate-limiting
+	takes effect (see --limit-burst in the ebtables manpage).
+
+	Furthermore, ARP Requests with a target IP already present in the
+	batman-adv DAT Cache are excluded from the rate-limiting,
+	both regarding counting and filtering, as batman-adv will respond
+	locally with no burden for the mesh. Therefore, this limiter
+	should not affect popular target IPs, like gateways.
+
+	However it should mitigate the problem of curious people or
+	smart devices scanning the whole IP range. Which could create
+	a significant amount of overhead for all participants so far.
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-limit-arp/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-limit-arp))

package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables-worker/100-arp-limit.lua

@@ -0,0 +1,25 @@
+#!/usr/bin/lua
+
+local nixio = require('nixio')
+
+if not nixio.getenv("EBTABLES_ATOMIC_FILE") then
+	print("Error: Refusing to run without EBTABLES_ATOMIC_FILE")
+	os.exit(1)
+end
+
+os.execute("ebtables -F ARP_LIMIT_DATCHECK")
+
+local popen = io.popen("batctl dc -H")
+for line in popen:lines() do
+	local t={} ; i=1
+	local bar = line:gmatch("(%d+\.%d+\.%d+\.%d+)%s+(%w+:%w+:%w+:%w+:%w+:%w+)")
+	local ip, mac
+
+	for a, b in bar do
+		ip = a
+		mac = b
+	end
+
+	os.execute("ebtables -I ARP_LIMIT_DATCHECK -p ARP --arp-ip-dst " .. ip .. " -j mark --mark-or 0x2 --mark-target RETURN")
+end
+popen:close()

package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/100-arp-limit-chains

@@ -0,0 +1,2 @@
+chain('ARP_LIMIT', 'DROP')
+chain('ARP_LIMIT_DATCHECK', 'RETURN')

package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/320-arp-limit-rules

@@ -0,0 +1,5 @@
+rule('ARP_LIMIT -j ARP_LIMIT_DATCHECK')
+rule('ARP_LIMIT --mark 0x2/0x2 -j RETURN')
+rule('ARP_LIMIT --limit 1/sec --limit-burst 50 -j RETURN')
+
+rule('FORWARD -p ARP --logical-out br-client -o bat0 --arp-op Request -j ARP_LIMIT')